| Name | Description |
|---|---|
| JSocket | |
| AlienSpy | |
| Frutas | |
| Sockrat | |
| Unrecom | |
| jFrutas | |
| Adwind | |
| jBiFrost | |
| Trojan.Maljava | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1123 | Audio Capture | |
| Enterprise | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | jRAT has a function to delete files from the victim’s machine.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[2][1] |
| Enterprise | T1027 | Obfuscated Files or Information | jRAT’s Java payload is encrypted with AES.[2] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[4] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1120 | Peripheral Device Discovery | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1090 | Proxy | |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1029 | Scheduled Transfer | jRAT can be configured to reconnect at certain intervals.[1] |
| Enterprise | T1113 | Screen Capture | jRAT has the capability to take screenshots of the victim’s machine.[2][1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2][1] |
| Enterprise | T1082 | System Information Discovery | jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[4] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | jRAT can capture passwords from common chat applications such as MSN Messenger, AOL Instant Messenger, and Google Talk.[1] |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | |
| Enterprise | T1125 | Video Capture | jRAT has the capability to capture video from a webcam.[2][1] |
| Enterprise | T1047 | Windows Management Instrumentation | jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2] |